👤 Awesome Identity and Access Management
In a Standford class on Cloud computing overview, the software stack is presented as such:
This knowledge base cover the far right perimeter of the cloud stack. It is one of the pillar of the cloud ecosystem, bridging the users, the products and the business. The other pillar being billing & payments.
- Zero-trust Network
- Secret Management
- Trust & Safety
- Open-Source Projects
- Competitive Analysis
- IAM definition -
A framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to technology resources.
- As a user, I want _____ - A meta-critic of account management, in which features expected by the business clash with real user needs, in the form of user stories written by a fictional project manager.
- Things end users care about but programmers don't - In the same spirit as above, but broader: all the little things we overlook as developers but users really care about. In the top of that list lies account-centric features, diverse integration and import/export tools. I.e. all the enterprise customers needs to cover.
- Enterprise Information Security - Mozilla's security and access guidelines.
- Mitigating Cloud Vulnerabilities -
This document divides cloud vulnerabilities into four classes (misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities).
- Open guide to AWS Security and IAM
- IAM Is The Real Cloud Lock-In - A little click-baity, but author admit that
It depends on how much you trust them to a) stay in business; b) not jack up your prices; c) not deprecate services out from under you; and d) provide more value to you in business acceleration than they take away in flexibility..
The whole authentication stack is based on cryptography primitives. This can't be overlooked.
- Cryptographic Right Answers (summary) - An up to date set of recomendations for developers who are not cryptography engineers.
- Security Recommendations for Any Device that Depends on Randomly-Generated Numbers -
The phrase “random number generator” should be parsed as follows: It is a random generator of numbers. It is not a generator of random numbers..
- Real World Crypto Symposium - Aims to bring together cryptography researchers with developers, focusing on uses in real-world environments such as the Internet, the cloud, and embedded devices.
- An Overview of Cryptography -
This paper has two major purposes. The first is to define some of the terms and concepts behind basic cryptographic methods, and to offer a way to compare the myriad cryptographic schemes in use today. The second is to provide some real examples of cryptography in use today..
- Papers we love: Cryptography - Foundational papers of cryptography.
- Lifetimes of cryptographic hash functions -
If you are using compare-by-hash to generate addresses for data that can be supplied by malicious users, you should have a plan to migrate to a new hash every few years.
Zero trust network security operates under the principle “never trust, always verify.”.
- BeyondCorp - A New Approach to Enterprise Security - Quick overview of Google's Zero-trust Network initiative.
- What is BeyondCorp? What is Identity-Aware Proxy? - More companies add extra layers of VPNs, firewalls, restrictions and constraints, resulting in a terrible experience and a slight security gain. There's a better way.
- oathkeeper - Identity & Access Proxy and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP requests. Inspired by the BeyondCorp / Zero Trust white paper.
- transcend - BeyondCorp-inspired Access Proxy server.
Are you who you pretend to be?
- Scaling backend authentication at Facebook (slides) - TL;DR: Small root of trust, TLS isn't enough, certificate-based tokens and Crypto Auth Tokens (CATs).
- The new nist password guidance - A summary of NIST Special Publication 800-63B covering new password complexity guidelines.
- Password expiration is dead - Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists and MFA.
- Banks, Arbitrary Password Restrictions and Why They Don't Matter -
Arbitrary low limits on length and character composition are bad. They look bad, they lead to negative speculation about security posture and they break tools like password managers.
- Dumb Password Rules - Shaming sites with dumb password rules.
- Plain Text Offenders - Public shaming of websites storing passwords in plain text.
- A Well-Known URL for Changing Passwords - Specification defining site resource for password updates.
- How to change the hashing scheme of already hashed user's passwords - You're not stuck with a legacy password hashing algorithm: this explain how to upgrade weak hashing algo.
- An argument for passwordless - Passwords are not the be-all and end-all of user authentication. This article ties to tell you why.
- WebAuthn guide - A very accessible guide to WebAuthn, a standard allowing
servers to register and authenticate users using public key cryptography instead of a password, supported by all major browsers.
- Webauthn and security keys - Describe how authentication works with security keys, details the protocols, and how they articulates with WebAuthn. Key takeaway:
There is no way to create a U2F key with webauthn however. (...) So complete the transition to webauthn of your login process first, then transition registration.
- Getting started with security keys - A practical guide to stay safe online and prevent phishing with FIDO2, WebAuthn and security keys.
- Solo - Open security key supporting FIDO2 & U2F over USB + NFC.
- OpenSK - Open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.
- Beyond Passwords: 2FA, U2F and Google Advanced Protection - An excellent walk-trough over all these technologies.
- A Comparative Long-Term Study of Fallback Authentication - Key take-away:
schemes based on email and SMS are more usable. Mechanisms based on designated trustees and personal knowledge questions, on the other hand, fall short, both in terms of convenience and efficiency.
- How effective is basic account hygiene at preventing hijacking - Google security team's data shows 2FA blocks 100% of automated bot hacks.
- Your Pa$$word doesn't matter - Same conclusion as above from Microsoft:
Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.
- Attacking Google Authenticator - Probably on the verge of paranoia, but might be a reason to rate limit 2FA validation attempts.
- Compromising online accounts by cracking voicemail systems - Or why you should not rely on automated phone calls as a method to reach the user and reset passwords, 2FA or for any kind of verification. Not unlike SMS-based 2FA, it is currently insecure and can be compromised by the way of its weakest link: voicemail systems.
- Getting 2FA Right in 2019 - On the UX aspects of 2FA.
TL;DR: don't. For details, see articles below.
- SMS 2FA auth is deprecated by NIST - NIST has said that 2FA via SMS is bad and awful since 2016.
- SMS: The most popular and least secure 2FA method
- Is SMS 2FA Secure? No. - Definitive reasearch project demonstrating successful attempts at SIM swapping.
- Hackers Hit Twitter C.E.O. Jack Dorsey in a 'SIM Swap.' You're at Risk, Too.
- AT&T rep handed control of his cellphone account to a hacker
- The Most Expensive Lesson Of My Life: Details of SIM port hack
- SIM swap horror story
- AWS is on its way to deprecate SMS-based 2FA -
We encourage you to use MFA through a U2F security key, hardware device, or virtual (software-based) MFA device. You can continue using this feature until January 31, 2019.
Public-Key Infrastructure (PKI)
- PKI for busy people - Quick overview of the important stuff.
- Everything you should know about certificates and PKI but are too afraid to ask - PKI lets you define a system cryptographically. It's universal and vendor neutral.
lemur- Acts as a broker between CAs and environments, providing a central portal for developers to issue TLS certificates with 'sane' defaults.
JSON Web Token is a bearer's token.
- Introduction to JSON Web Tokens - Get up to speed on JWT with this article.
- Learn how to use JWT for Authentication - Learn how to use JWT to secure your web app.
- Using JSON Web Tokens as API Keys - Compared to API keys, JWTs offers granular security, homogenous auth architecture, decentralized issuance, OAuth2 compliance, debuggability, expiration control, device management.
- Managing a Secure JSON Web Token Implementation - JWT has all sorts of flexibility that make it hard to use well.
- Blacklisting JSON Web Token API Keys - On token invalidation.
- Stop using JWT for sessions, and Why your "solution" doesn't work - Stateless JWT tokens cannot be invalidated or updated, and will introduce either size issues or security issues depending on where you store them. Stateful JWT tokens are functionally the same as session cookies, but without the battle-tested and well-reviewed implementations or client support.
- JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
- JOSE is a Bad Standard That Everyone Should Avoid - TL;DR: the standards are either completely broken or complex minefields hard to navigate.
- JWT.io - Allows you to decode, verify and generate JWT.
OAuth2 & OpenID
The old OpenID is dead; the new OpenID Connect is very much not-dead.
- An Illustrated Guide to OAuth and OpenID Connect - Explain how these standards work using simplified illustrations.
- OAuth 2 Simplified - A reference article describing the protocol in simplified format to help developers and service providers implement it.
- How to Implement a Secure Central Authentication Service in Six Steps - Got multiple legacy systems to merge with their own login methods and accounts? Here is how to merge all that mess by the way of OIDC.
- Open-Sourcing BuzzFeed's SSO Experience - OAuth2-friendly adaptation of the Central Authentication Service (CAS) protocol. You'll find there good OAuth user flow diagrams.
- The Decline of OpenID - OpenID is being replaced in the public web to a mix of OAuth 1, OAuth 2 or other proprietary SSO protocols.
- Why Mastercard Doesn't Use OAuth 2.0 -
They did this to provide message-level integrity. OAuth 2 switched to Transport-level confidentiality/Integrity.(which TLS provides) (source).
- Hydra - Open-source OIDC & OAuth2 Server.
- Cierge - Open-source authentication server (OIDC) that handles user signup, login, profiles, management, and more.
- Keycloak - Open-source Identity and Access Management. Supports OIDC, OAuth 2 and SAML 2, LDAP and AD directories, password policies.
SAML 2.0 is a means to exchange authorization and authentication between services, like OAuth/OpenID protocols above.
Typical SAML identity prodiver is an insitution or a big corporation's internal SSO, while the typical OIDC/OAuth provider is a tech company that runs a data silo.
- How SAML 2.0 Authentication Works - Overview of the how and why of SSO and SAML.
- Web Single Sign-On, the SAML 2.0 perspective - Another naive explanation of SAML workflow in the context of corporate SSO implementation.
Now that we know you are you, are you allowed to perform what you want to do?
- Role Based Access Control - NIST project to explaine RBAC concepts, costs and benefits, the economic impact of RBAC, design and implementation issues, the RBAC standard, and advanced research topics.
- Semantic-based Automated Reasoning for AWS Access Policies using SMT - Zelkova is AWS's system performing symbolic analysis of IAM policies to solve the reachability of resources according user's rights and access constraints. Also see the higher-level introduction given at re:inforce 2019.
- Zanzibar: Google's Consistent, Global Authorization System - scales to trillions of access control lists and millions of authorization requests per second to support services used by billions of people. It has maintained 95th-percentile latency of less than 10 milliseconds and availability of greater than 99.999% over 3 years of production use. Other bits not in the paper.
keto- Policy decision point. It uses a set of access control policies, similar to AWS IAM Policies, in order to determine whether a subject is authorized to perform a certain action on a resource.
ladon- Access control library, inspired by AWS IAM Policies.
- Description of an authz system that is built around labeled security and RBAC concepts.
- Become an AWS IAM Policy Ninja -
In my nearly 5 years at Amazon, I carve out a little time each day, each week to look through the forums, customer tickets to try to find out where people are having trouble.. Policy specification is the science, enforcement is the art.
A clever curiosity to distribute and delegate authorization.
- Google's Macaroons in Five Minutes or Less - TL;DR: if I'm given a Macaroon that authorizes me to perform some action(s) under certain restrictions, I can non-interactively build a second Macaroon with stricter restrictions that I can then give to you.
- Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud - Google's original paper.
- Google paper's author compares Macaroons and JWTs - TL;DR: As a consumer/verifier of macaroons, they allow you (through third-party caveats) to defer some authorization decisions to someone else. JWTs don't.
Architectures, software and hardware allowing the storage and usage of secrets to allow for authentication and authorization, while maintaining the chain of trust.
- Secret at Scale at Netflix (slides) - Solution based on blind signatures.
- High Availability in Google's Internal KMS (slides) - Not GCP's KMS, but the one at the core of their infrastructure.
vault- Secure, store and tightly control access to tokens, passwords, certificates, encryption keys.
sops- Encrypts the values of YAML and JSON files, not the keys.
gitleaks- Audit git repos for secrets.
- Keywhiz - A system for managing and distributing secrets, which can fit well with a service oriented architecture (SOA).
roca- Python module to check for weak RSA moduli in various key formats.
Hardware Security Module (HSM)
HSMs are physical devices guaranteeing security of secret management at the hardware level.
- HSM: What they are and why it's likely that you've (indirectly) used one today - Really basic overview of HSM usages.
- Tidbits on AWS Cloud HSM hardware - AWS CloudHSM Classic is backed by SafeNet's Luna HSM, current CloudHSM rely on Cavium's Nitrox, which allows for partitionable "virtual HSMs".
- CrypTech - An open hardware HSM.
- Keystone - Open-source project for building trusted execution environments (TEE) with secure hardware enclaves, based on the RISC-V architecture.
- Project Oak - A specification and a reference implementation for the secure transfer, storage and processing of data.
- Everybody be cool, this is a robbery! - A case study of vulnerability and exploitability of a HSM (in French, sorry).
Trust & Safety
Once you've got a significant user base, it is called a community. You'll then be responsible to protect it: the customer, people, the company, the business, and facilitate all interactions and transactions happening therein.
A critical intermediation component driven by a policy and constraint by local laws, likely embodied by a cross-functionnal team of 24/7 operators and systems of highly advanced moderation and administration tools. You can see it as an extention of customer support, specialized in edge-cases like manual identity checks, moderation of harmful content, stopping harrassments, handling of warrants and copyright claims, data sequestration and other credit card disputes.
- Trust and safety 101 - A great introduction on the domain and its responsabilities.
- What the Heck is Trust and Safety? - A couple of real use-case to demonstrate the role of a TnS team.
- Still Logged In: What AR and VR Can Learn from MMOs -
If you host an online community, where people can harm another person: you are on the hook. And if you can't afford to be on the hook, don't host an online community. All online communities, not only those related to gaming, requires their operator to invest a lot of resource and energy to moderate it.
- Awesome List of Billing and Payments: Fraud links - Section dedicated to fraud management for billing and payment, from our sister repository.
Most businessese do not collect customer's identity to create user profiles to sell to third party, no. But you still have to: local laws require to keep track of contract relationships under the large Know You Customer (KYC) banner.
- The Laws of Identity - Is this paper aims at identity metasystem, its laws still provides great insights at smaller scale, especially the first law: to always allow user control and ask for consent to earn trust.
- A Comparison of Personal Name Matching: Techniques and Practical Issues - Customer name matching has lots of application, from account deduplication to fraud monitoring.
hive- User & Identity Provider & Management.
Providing services, you're exposed to fraud, crime and abuses. You should never underestimate how much cleverer than you people will be when it comes to money. And expect any bug or discrpencies in your procedure to be exploited for financial gain.
- After Car2Go eased its background checks, 75 of its vehicles were stolen in one day. - Why background check are sometimes necessary.
- Investigation into the Unusual Signups - A really detailed analysis of suspicious contributor signups on OpenStreetMap. This beautiful and high-level report demonstrating an orchestrated and directed campaign might serve as a template for fraud reports.
- MIDAS: Detecting Microcluster Anomalies in Edge Streams - A proposed method to
detects microcluster anomalies, or suddenly arriving groups of suspiciously similar edges, in edge streams, using constant time and memory..
- Browser Fingerprinting: A survey - Fingerprints can be used as a source of signals to identify bots and fraudsters.
- MISP taxonomies and classification - Tags to organize information on
threat intelligence including cyber security indicators, financial fraud or counter-terrorism information.
- The challenges of file formats - At one point you will let users upload files in your system. Here is a corpus of suspicious media files that can be leveraged by scammers =to bypass security or fool users.
The first mecanical line of defense against abuses consist in plain and simple black-listing. You'll be surprised how they still are effective.
- Bloom Filter - Perfect for this use-case, as blom filters are designed to quickly check if an element is not in a (large) set. Variations of bloom filters exist for specific data types.
- How Radix trees made blocking IPs 5000 times faster - Radix trees might come handy to speed-up IP blacklists.
Hostnames and Subdomains
Useful to identified clients, catch and block swarms of bots, and limit effects of dDOS.
hosts- Consolidates reputable hosts files, and merges them into a unified hosts file with duplicates removed.
- The Public Suffix List - Mozilla's registry of public suffixes, under which Internet users can (or historically could) directly register names.
- Certificate Transparency Subdomains - An hourly updated list of subdomains gathered from certificate transparency logs.
- Subdomain blacklists: #1, #2, #3, #4.
xkeyscorerules100.txt- NSA's XKeyscore matching rules for TOR and other anonymity preserving tools.
- Burner email providers - A list of temporary email providers. And its derivated Python module.
- MailChecker - Cross-language temporary (disposable/throwaway) email detection library.
- Temporary Email Address Domains - A list of domains for disposable and temporary email addresses. Useful for filtering your email list to increase open rates (sending email to these domains likely will not be opened).
A ruby gem to check if the owner of a given email address or website is working for THE MAN (a.k.a verifies government domains).Good resource to hunt for potential government customers in your user base.
- General List of Reserved Words - This is a general list of words you may want to consider reserving, in a system where users can pick any name.
- Hostnames and usernames to reserve - List of all the names that should be restricted from registration in automated systems.
- List of Dirty, Naughty, Obscene, and Otherwise Bad Words - Profanity blacklist from Shutterstock.
Another line of defense againsts spammers.
- reCaptcha - reCaptcha is still an effective, economical and quick solution when your company can't afford to have a dedicated team to fight bots and spammers at internet scale.
- Anti-captcha - Captchas solving service.
As the guardian of user's data, the IAM stack is deeply bounded by the respect of privacy.
- Paper we love: Privacy - A collection of scientific studies of schemes providing privacy by design.
- IRMA Authentication - Open-source app and protocol that offers privacy-friendly attribute based authentication and signing using Camenisch and Lysyanskaya's Idemix.
- Have I been Pwned? - Data breach index.
- Automated security testing for Software Developers - Most privacy breaches were allowed by known vulnerabilities in third-party dependencies. Here is how to detect them by the way of CI/CD.
As a central repository of user data, the IAM stack stakeholders have to prevent any leakage of business and customer data. To allow for internal analytics, anonymization is required.
- The False Allure of Hashing for Anonymization - Hashing is not sufficient for anonymization no. But still it is good enough for pseudonymization (which is allowed by the GDPR).
- Four cents to deanonymize: Companies reverse hashed email addresses -
Hashed email addresses can be easily reversed and linked to an individual.
- Why differential privacy is awesome - Explain the intuition behind differential privacy, a theoretical framework which allow sharing of aggregated data without compromising confidentiality. See follow-up articles with more details and pracical aspects.
- k-anonymity: an introduction - An alternative anonymity privacy model.
- Presidio - Context aware, pluggable and customizable data protection and PII data anonymization service for text and images.
- Diffix: High-Utility Database Anonymization - Diffix try to provide anonymization, avoid pseudonymization and preserve data quality. Written in Elixir at Aircloak, it acts as an SQL proxy between the analyst and an unmodified live database.
The well-known European privacy framework
- GDPR Tracker - Track the GDPR compliance of cloud services and subprocessors.
- GDPR documents - Templates for personal use to have companies comply with "Data Access" requests.
- Ship Your Enemies GDPR - Weaponizing GDPR to help you send your enemies a Data Requests designed to waste as much of their time as possible.
- GDPR Enforcement Tracker - List of GDPR fines and penalties.
As stakeholder of the IAM stack, you're going to implement in the backend the majority of the primitives required to build-up the sign-up tunnel and user onboarding. This is the first impression customers will get from your product, and can't be overlooked: you'll have to carrefully design it with front-end experts. Here is a couple of guides to help you polish that experience.
- The 2020 State of SaaS Product Onboarding - Covers all the important facets of user onboarding.
- User Onboarding Teardowns - A huge list of deconstructed first-time user signups.
- Conversion Optimization - A collection of tactics to increase the chance of users finishing the account creation funnel.
- Trello User Onboarding - A detailed case study, nicely presented, on how to improve user onboarding.
- Don't get clever with login forms - TL;DR: create login forms that are simple, linkable, predictable, and play nicely with password managers.
- Why are the username and password on two different pages? - TL;DR: to support both SSO and password-based login. Now if breaking the login funnel in 2 steps is too infuriating to users, solve this as Dropbox does: an AJAX request when you enter your username.
- HTML attributes to improve your users' two factor authentication experience -
In this post we will look at the humble <input> element and the HTML attributes that will help speed up our users' two factor authentication experience.
- Remove password masking - Summarises the results from an academic study investigating the impact removing password masking has on consumer trust.
- For anybody who thinks "I could build that in a weekend," this is how Slack decides to send a notification - Notifications are hard. Really hard.
A bunch of resources to keep track of the current status and progress of all companies operating in the domain.
- AWS Security, Identity & Compliance announcements.
- GCP IAM release notes - Also of note: Identity, Identity Platform, Resource Manager, Key Management Service/HSM, Access Context Manager, Identity-Aware Proxy, Data Loss Prevention and Security Scanner.
- Unofficial Weekly Google Cloud Platform newsletter - Relevant keywords:
- DigitalOcean Platform changelog
- cryptoanarchy.wiki - Cypherpunks overlaps with security. This wiki compiles information about the movement, its history and the people/events of note.